Only a week and a half after Happtique announced that it had certified 19 health and medical apps through its new Health App Certification Program (HACP), the company suspended the program after a software developer revealed security vulnerabilities, according to a MedCity News article.
"The industry, consumers, and anyone putting stock in Happtique's certification should understand these issues," wrote Harold Smith III, CEO of Monkton Health, in a blog post. "Happtique can and I am sure will try to correct these issues, but for the life of me, how did anyone miss such massive security holes? These aren't just things you miss… I wouldn't put a single App I have developed through their certification process at this point."
In late February, Happtique published final standards for its mHealth application certification program, which the company hoped would serve as a "good housekeeping seal of approval" for mobile healthcare apps. HACP is designed to evaluate and certify mHealth apps against those final standards; Happtique had called it a "first-of-its-kind program" to test app privacy, security and content.
Technical testing for the program is conducted by Intertek in order to verify privacy, security, and operability standards. However, Smith identified two apps certified under HACP that had security issues, including usernames and passwords stored in plain text, and health data both stored and transmitted in plain text.
"Happtique farms out the validation of the actual software to Intertek. I cannot comprehend how both Happtique and Intertek failed to catch this litany of issues present in both products," states Smith's blog. "Storing plain text passwords is unreal. Storing unencrypted ePHI [electronic protected health information] is crazy. Sending ePHI over HTTP is inexcusable."
Earlier this year, Rep. Hank Johnson (D-Ga.) released draft legislation that would safeguard the privacy of mobile device users by requiring mobile app developers, including those for mHealth apps, to disclose how they collect personal data and which third parties would have access to that data. Johnson unveiled the draft of the bill on AppRights, a web-based legislative project launched in July 2012 to facilitate public discussion about how Congress can help ensure consumer privacy on mobile devices.
The Application Privacy, Protection and Security (APPS) Act of 2013 would inform consumers what information is collected and how long it could be stored, ostensibly allowing them to prevent mobile app developers from sharing or collecting their data. According to the proposed legislation, developers would have to identify the consumers before collecting any personal data and obtain their consent.